
Commit ef24c79

authored
fix: assuming one value means fixed should be last affected, and remove CNA qualifier for parsing attempt (#4078)
Fixes: (1) the incorrect assumption that, when only one version is provided, it is the fixed version — it should be treated as the last affected version; (2) stop using the CNA assigner as a qualifier for attempting to extract a structured version range from a single version field.
1 parent dff5153 commit ef24c79


2 files changed

+19
-24
lines changed


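--- a/vulnfeeds/cmd/cvelist2osv/version_extraction.go
+++ b/vulnfeeds/cmd/cvelist2osv/version_extraction.go
@@ -216,7 +216,7 @@ func extractVersionsFromAffectedField(affected cves.Affected, cnaAssigner string
 return findInverseAffectedRanges(affected, cnaAssigner, metrics)
 }
 
-return findNormalAffectedRanges(affected, cnaAssigner, metrics)
+return findNormalAffectedRanges(affected, metrics)
 }
 
 // findInverseAffectedRanges calculates the affected version ranges by analyzing a list
@@ -288,7 +288,7 @@ func findInverseAffectedRanges(cveAff cves.Affected, cnaAssigner string, metrics
 return nil, VersionRangeTypeUnknown
 }
 
-func findNormalAffectedRanges(affected cves.Affected, cnaAssigner string, metrics *ConversionMetrics) (versionRanges []osvschema.Range, versType VersionRangeType) {
+func findNormalAffectedRanges(affected cves.Affected, metrics *ConversionMetrics) (versionRanges []osvschema.Range, versType VersionRangeType) {
 versionTypesCount := make(map[VersionRangeType]int)
 
 for _, vers := range affected.Versions {
@@ -344,20 +344,19 @@ func findNormalAffectedRanges(affected cves.Affected, cnaAssigner string, metric
 // in one line instead - like "< 1.5.3" or "< 2.45.4, >= 2.0 " or just "before 1.4.7", so check for that.
 metrics.Notes = append(metrics.Notes, "Only version exists")
 // GitHub often encodes the range directly in the version string.
-if cnaAssigner == "GitHub_M" {
-av, err := git.ParseVersionRange(vers.Version)
-if err == nil {
-if av.Introduced == "" {
-continue
-}
-if av.Fixed != "" {
-versionRanges = append(versionRanges, buildVersionRange(av.Introduced, "", av.Fixed))
-} else if av.LastAffected != "" {
-versionRanges = append(versionRanges, buildVersionRange(av.Introduced, av.LastAffected, ""))
-}
-}
 
-continue
+av, err := git.ParseVersionRange(vers.Version)
+if err == nil {
+if av.Introduced == "" {
+continue
+}
+if av.Fixed != "" {
+versionRanges = append(versionRanges, buildVersionRange(av.Introduced, "", av.Fixed))
+continue
+} else if av.LastAffected != "" {
+versionRanges = append(versionRanges, buildVersionRange(av.Introduced, av.LastAffected, ""))
+continue
+}
 }
 
 if currentVersionType == VersionRangeTypeGit {
@@ -375,10 +374,10 @@ func findNormalAffectedRanges(affected cves.Affected, cnaAssigner string, metric
 continue
 }
 
-// As a fallback, assume a single version means it's the fixed version.
+// As a fallback, assume a single version means it's the last affected version.
 if vQuality.AtLeast(acceptableQuality) {
-versionRanges = append(versionRanges, buildVersionRange("0", "", vers.Version))
-metrics.Notes = append(metrics.Notes, fmt.Sprintf("%s - Single version found %v - Assuming introduced = 0 and Fixed = %v", vQuality, vers.Version, vers.Version))
+versionRanges = append(versionRanges, buildVersionRange("0", vers.Version, ""))
+metrics.Notes = append(metrics.Notes, fmt.Sprintf("%s - Single version found %v - Assuming introduced = 0 and last affected = %v", vQuality, vers.Version, vers.Version))
 }
 }
 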
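Review bot: The comment `// GitHub often encodes the range directly in the version string.` kept above the new `av, err := git.ParseVersionRange(vers.Version)` still reads as if the GitHub_M qualifier exists, while the parse now runs for every CNA; reword it to `// Some CNAs (notably GitHub) encode the whole range in the single version string, so try to parse it regardless of assigner.` The old unconditional `continue` after the GitHub block is also gone, so when the parse succeeds with Introduced set but neither Fixed nor LastAffected, control appears to fall through to the single-version fallback below and emit a 0..last_affected range built from the raw (range-like) string — if that is unintended, add a `continue` after the `else if` as well, or pin the case in a test. Since these ranges decide which versions the feed flags as vulnerable, the pre-existing `if av.Introduced == "" { continue }` silently discarding a parsed Fixed/LastAffected also deserves a metrics note so dropped ranges are visible in triage. findNormalAffectedRanges starts and continues outside the visible hunks, so other early exits between the parse and the fallback cannot be ruled out from here.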

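--- a/vulnfeeds/cmd/cvelist2osv/version_extraction_test.go
+++ b/vulnfeeds/cmd/cvelist2osv/version_extraction_test.go
@@ -111,7 +111,6 @@ func TestFindNormalAffectedRanges(t *testing.T) {
 },
 },
 },
-cnaAssigner: "test",
 wantRanges: []osvschema.Range{
 buildVersionRange("1.0", "", "1.5"),
 },
@@ -128,9 +127,8 @@ func TestFindNormalAffectedRanges(t *testing.T) {
 },
 },
 },
-cnaAssigner: "test",
 wantRanges: []osvschema.Range{
-buildVersionRange("0", "", "2.0"),
+buildVersionRange("0", "2.0", ""),
 },
 wantRangeType: VersionRangeTypeSemver,
 },
@@ -144,7 +142,6 @@ func TestFindNormalAffectedRanges(t *testing.T) {
 },
 },
 },
-cnaAssigner: "GitHub_M",
 wantRanges: []osvschema.Range{
 buildVersionRange("2.0", "", "2.5"),
 },
@@ -161,7 +158,6 @@ func TestFindNormalAffectedRanges(t *testing.T) {
 },
 },
 },
-cnaAssigner: "test",
 wantRanges: []osvschema.Range{
 buildVersionRange("deadbeef", "", ""),
 },
@@ -171,7 +167,7 @@ func TestFindNormalAffectedRanges(t *testing.T) {
 
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
-gotRanges, gotRangeType := findNormalAffectedRanges(tt.affected, tt.cnaAssigner, &ConversionMetrics{})
+gotRanges, gotRangeType := findNormalAffectedRanges(tt.affected, &ConversionMetrics{})
 if diff := cmp.Diff(tt.wantRanges, gotRanges); diff != "" {
 t.Errorf("findNormalAffectedRanges() ranges mismatch (-want +got):\n%s", diff)
 }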
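Review bot: The table drops the `cnaAssigner` values but no case pins the new fall-through behaviour for a single version string that ParseVersionRange accepts with only Introduced set (no Fixed or LastAffected), which is exactly the path the removed unconditional `continue` used to short-circuit; add a case with such a string and a `wantRanges` that states whether the 0..last_affected fallback is expected or not. A case with a single version below `acceptableQuality` asserting `wantRanges: nil` would likewise pin that the new last-affected fallback does not fire for low-quality strings. If the table's struct definition (outside these hunks) still declares a `cnaAssigner string` field, it is now dead and should be removed so the test mirrors the new signature.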
